The federal investigation stemmed from the loss of unencrypted backup tapes containing patient data, which were maintained by the hospital’s parent company.

A Rhode Island hospital agreed this month to pay $550,000 in settlements after failing to properly update business associate agreements as required under the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA), federal authorities said.

“WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until Aug. 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule,” according to a Sept. 23 OCR news release announcing the settlements.

The total amount to be paid by WIH is actually made up of two settlements.

A $400,000 payment is intended to address the federal probe, which found that WIH disclosed protected health information (PHI) to CNE without “obtaining satisfactory assurances as required under HIPAA,” in the form of a written business associate agreement, that CNE would safeguard the PHI.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels.

“The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting,” she continued. “A sample Business Associate Agreement can be found on OCR’s website to assist covered entities in complying with this requirement.”

Another $150,000 consent judgment is being paid to the Massachusetts Attorney General’s Office in response to the hospital’s conduct in the underlying breach, including failing to provide adequate safeguards and failing to notify affected people in a timely manner.

“While the AGO’s actions do not legally preclude OCR from imposing civil money penalties, OCR determined not to include additional potential violations in this case for the purposes of settlement, given that such potential violations had already been addressed by the AGO and based on OCR’s policy approach to concurrent cases with State AGOs,” the federal news release said.

The $400,000 settlement with OCR brings the total amount of settlements for HIPAA security violations to $20.7 million this year, up sharply from $6.2 million in all of 2015.
